Insecure Web Proxy Servers, by Noel Davis
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at insecure Web proxy servers; buffer overflows in ncurses, Squid, hanterm, and ripMime; and problems in gnujsp, the NetBSD kernel, jmcce, the IRIX Unified Name Service Daemon, and Chuid.
- Insecure Web Proxy Servers
- Squid HTTP Proxy
- NetBSD Kernel
- IRIX Unified Name Service Daemon
Some insecurely configured Web proxy servers can be exploited by a remote attacker to make arbitrary connections to unauthorized hosts. Two common abuses of a misconfigured proxy are bypassing firewall restrictions and relaying spam. An attacker bypasses a firewall by connecting to the proxy from outside the firewall and having the proxy open a connection to a host inside it; the same proxy can relay spam if it will open a connection to an SMTP server on behalf of an outside client. It has been reported that many Web proxy servers are distributed with insecure default configurations.
Users should carefully configure Web proxy servers to prevent unauthorized connections: restrict which client addresses may use the proxy, and restrict the destination hosts and ports it will connect to. It has been reported that http://www.monkeys.com/security/proxies/ contains secure configuration guidelines for many Web proxy servers. We cannot verify the accuracy of this information, and if there are any questions users should contact their vendors.
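The two abuses above both go through the proxy's CONNECT handling. The following is an added example, not code from this column or from any proxy product: a small policy function that mimics an open proxy (`open_proxy=True`) and then the corrected policy, which rejects clients outside a trusted network, rejects tunnel ports other than 443, and rejects literal destinations on internal networks. The network ranges, the allowed port set, and the request lines are assumptions constructed for the illustration.

```python
import ipaddress

# Constructed policy for an HTTP proxy's CONNECT handler (added example).
ALLOWED_CONNECT_PORTS = {443}          # assumption: only TLS tunnels are legitimate
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
TRUSTED_CLIENTS = [ipaddress.ip_network("192.168.1.0/24")]  # assumption: the LAN the proxy serves


def parse_connect(request_line):
    """Parse 'CONNECT host:port HTTP/1.x' into (host, port); raise on anything else."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, _, port = parts[1].rpartition(":")
    if not host or not port.isdigit():
        raise ValueError("malformed authority")
    return host, int(port)


def is_internal(host):
    """True if host is a literal address inside one of INTERNAL_NETS.
    Hostnames (and bracketed IPv6 literals) are not resolved here; a real
    deployment must resolve them and check the resulting addresses."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in n for n in INTERNAL_NETS)


def decide_connect(client_ip, request_line, open_proxy=False):
    """Return 'allow' or a 'deny: ...' reason. open_proxy=True mimics the
    insecure default the column warns about: every CONNECT is honoured."""
    host, port = parse_connect(request_line)
    if open_proxy:
        return "allow"
    client = ipaddress.ip_address(client_ip)
    # Firewall bypass: an outside client must not be able to use the proxy at all.
    if not any(client in n for n in TRUSTED_CLIENTS):
        return "deny: client outside trusted networks"
    # Spam relay: port 25 (and everything but 443) is refused as a tunnel target.
    if port not in ALLOWED_CONNECT_PORTS:
        return "deny: port %d not allowed for CONNECT" % port
    # Defence in depth: even trusted clients get no tunnel to internal addresses.
    if is_internal(host):
        return "deny: destination is an internal host"
    return "allow"


if __name__ == "__main__":
    # Constructed requests: an outside spammer, and a LAN client reaching a public site.
    print(decide_connect("203.0.113.5", "CONNECT mail.example.net:25 HTTP/1.0", open_proxy=True))
    print(decide_connect("203.0.113.5", "CONNECT mail.example.net:25 HTTP/1.0"))
    print(decide_connect("192.168.1.10", "CONNECT www.example.com:443 HTTP/1.0"))
```

The same checks apply to plain `GET http://host:port/...` proxy requests; a proxy that only filters CONNECT still relays spam if it will fetch `http://mailhost:25/` for an outsider.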
ncurses 5.0 is vulnerable to a buffer overflow that may, under some
circumstances (a set user id or set group id application linked to
ncurses 5.0), be exploitable by an attacker to execute arbitrary code
with unauthorized permissions. Red Hat Linux has reported that the
ncurses 4 libraries shipped with Red Hat Linux 7.0, 7.1, and 7.2 are
vulnerable to this buffer overflow, but that in a default installation
they cannot be exploited to gain additional privileges.
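Whether a library overflow like this one matters on a given host depends on which set-user-id or set-group-id programs are linked against the library. The script below is an added example, not code from Red Hat or the ncurses project: it walks the usual binary directories, keeps only regular files with the set-id bits, and runs `ldd` on each to see whether it links a library whose name starts with `libncurses` or `libcurses`. The directory list and library name prefixes are assumptions; the `ldd` helper is injectable so the parsing can be exercised on constructed output.

```python
import os
import stat
import subprocess

NCURSES_LIBS = ("libncurses", "libcurses")   # assumption: library base names to look for


def is_setuid_or_setgid(mode):
    """True if a file mode carries the set-user-id or set-group-id bit."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def linked_libraries(ldd_output):
    """Extract shared-object names from ldd(1) output lines such as
    '\tlibncurses.so.5 => /lib/libncurses.so.5 (0x4001a000)' or
    '\t/lib/ld-linux.so.2 (0x40000000)'."""
    libs = set()
    for line in ldd_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if "=>" in fields:
            libs.add(fields[0])
        elif fields[0].startswith("/"):
            libs.add(os.path.basename(fields[0]))
    return libs


def links_ncurses(libs):
    return any(lib.startswith(NCURSES_LIBS) for lib in libs)


def run_ldd(path):
    # Caveat: some ldd implementations run the dynamic loader on the target, so
    # only point this at binaries you already trust to execute (system binaries).
    return subprocess.run(["ldd", path], capture_output=True, text=True).stdout


def find_exposed_binaries(dirs, ldd=run_ldd):
    """Yield set-id executables under dirs that link ncurses."""
    for d in dirs:
        try:
            names = sorted(os.listdir(d))
        except OSError:
            continue
        for name in names:
            path = os.path.join(d, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not is_setuid_or_setgid(st.st_mode):
                continue
            if links_ncurses(linked_libraries(ldd(path))):
                yield path


if __name__ == "__main__":
    for p in find_exposed_binaries(["/bin", "/sbin", "/usr/bin", "/usr/sbin"]):
        print(p)
```

Anything the script prints is a program whose set-id privileges could be reached through the library bug; those are the binaries to rebuild, relink, or strip of their set-id bits until the library is upgraded.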
It is recommended that users upgrade their
ncurses library to a
repaired version. Red Hat has made repaired packages available for
their version of
The Squid HTTP proxy server is vulnerable to a denial-of-service
attack and a buffer overflow that may be exploitable by a remote
attacker to execute arbitrary code with the permissions of the user
executing Squid. The denial-of-service attack vulnerability is in
Squid's SNMP interface. The buffer overflow is in the code that
handles FTP URLs, and can also be used in a denial-of-service attack.
In addition, there is a bug in the HTCP interface that leaves it enabled
even when it has been disabled in the
squid.conf file. These
vulnerabilities have been reported to affect versions of Squid through
The developers of Squid have released Squid-2.4.STABLE4 and it is recommended that all users upgrade as soon as possible.
gnujsp, an application that executes Java source code when it is
inserted into a Web page, has a bug that can be exploited to read
the contents of arbitrary directories and files on the server and can
bypass HTTPD file and directory restrictions.
Users should upgrade
gnujsp to a repaired version.
A vulnerability has been reported in versions of NetBSD released prior to
January 14, 2002 that may be usable by a local attacker to gain root
permissions. The attack uses ptrace against a set user id binary
to modify the address space of the privileged process.
The NetBSD Security Officer recommends that users upgrade or patch their kernel. It is also strongly recommended that users of early versions of NetBSD, such as NetBSD-1.3.x, upgrade to a recent release.
jmcce, a program that is used to provide a Linux console in Chinese
characters, is vulnerable to a temporary-file symbolic-link race
condition that can be used to overwrite any file on the system.
Users should contact their vendor for an updated package. Users
should also consider restricting access to
jmcce to trusted users
until it has been updated.
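The jmcce bug is the classic temporary-file race: the program opens a predictably named file under a world-writable directory, so an attacker who plants a symbolic link of that name first gets the program's privileges used to overwrite whatever the link points at. The following is an added example, not jmcce's code: it reproduces the race in a constructed sandbox (the attacker's symlink is planted before the write), then shows the two standard fixes, `mkstemp` for an unpredictable name created with `O_EXCL`, and `O_CREAT|O_EXCL|O_NOFOLLOW` when the name must stay fixed. The name pattern `jmcce.<pid>` is an assumption for the illustration.

```python
import errno
import os
import tempfile


def vulnerable_tempfile_write(tmpdir, data):
    """The pattern behind symlink races: predictable name, plain open() which
    creates-or-truncates and happily follows a symlink already at that path."""
    path = os.path.join(tmpdir, "jmcce.%d" % os.getpid())   # assumption: predictable name
    with open(path, "w") as f:
        f.write(data)
    return path


def safe_tempfile_write(tmpdir, data):
    """Fix 1: mkstemp picks an unpredictable name and creates it with
    O_CREAT|O_EXCL and mode 0600, so a pre-planted link cannot be reused."""
    fd, path = tempfile.mkstemp(prefix="jmcce.", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def safe_open_fixed_name(path, data):
    """Fix 2: for a fixed name, refuse an existing entry (O_EXCL) and refuse
    to follow a symlink (O_NOFOLLOW); the kernel fails the open instead of
    writing through the attacker's link."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def demo():
    """Constructed race in a private sandbox. The 'attacker' plants a symlink at
    the predictable name pointing at a victim file, then each variant writes."""
    sandbox = tempfile.mkdtemp()
    victim = os.path.join(sandbox, "victim")
    with open(victim, "w") as f:
        f.write("original")
    planted = os.path.join(sandbox, "jmcce.%d" % os.getpid())
    os.symlink(victim, planted)                     # attacker wins the race

    vulnerable_tempfile_write(sandbox, "clobbered")  # writes through the link
    with open(victim) as f:
        after_vulnerable = f.read()

    try:
        safe_open_fixed_name(planted, "clobbered again")
        fixed_name_result = "wrote"
    except OSError as e:                            # expected: EEXIST (or ELOOP)
        fixed_name_result = errno.errorcode[e.errno]

    safe_path = safe_tempfile_write(sandbox, "private")
    return {
        "victim_after_vulnerable": after_vulnerable,
        "safe_fixed_name": fixed_name_result,
        "mkstemp_is_symlink": os.path.islink(safe_path),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable variant silently replaces the victim's contents; the `O_EXCL|O_NOFOLLOW` variant fails with `EEXIST` (some systems report `ELOOP`), and `mkstemp` never touches the planted name at all. Restricting who may run a set-id program, as recommended above, only narrows who can win the race; the open flags are what close it.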
hanterm, a Hangul terminal application for X11 that reads and displays
Korean characters, is vulnerable to a buffer overflow that can be
exploited to execute code with the permissions of the
utmp group. An attacker who can execute code as the
utmp group can write arbitrary data to the
files that are used to log login information.
Users should watch for a patch to
hanterm that fixes this
vulnerability, and should consider restricting access to trusted
The IRIX unified name service daemon
nsd has a bug in the function that
limits the size of its cache. This bug can be exploited remotely to cause
nsd's cache to grow until it fills the file system, resulting
in a denial of service. SGI reports that this bug is present in the
default installation of IRIX 6.5.4m/f through 6.5.11m/f.
SGI reports that the bug in
nsd has been repaired in IRIX version
Chuid, a utility that allows non-Web-server owned PHP scripts to upload files when the PHP server is configured to use safe mode, has vulnerabilities that can be abused to change the user id of files outside the compile-time-specified upload directory and in some cases, change root-owned files.
It is recommended that users upgrade to version 1.3 of Chuid.
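Both the gnujsp bug above (reading files and directories outside the document root) and the Chuid bug (changing the owner of files outside the compile-time upload directory, sometimes root-owned ones) are failures to confine a user-supplied path to a directory. The following is an added example, not code from either project: a `confine()` helper that resolves the request against the root with `realpath` (so `..`, absolute paths, and symlinks pointing outside are all caught), a reader that uses it as a gnujsp-style include should, and a chown helper that additionally refuses files not owned by the Web server user. The `web_uid` argument and the sandbox built by `demo()` are assumptions for the illustration.

```python
import os
import tempfile


class OutsideRoot(ValueError):
    """Raised when a requested path resolves to somewhere outside the root."""


def confine(root, requested):
    """Resolve `requested` relative to `root` and return the real path, refusing
    anything that escapes: '..' components, absolute paths, and symlinks whose
    target lies outside root (realpath follows them before the check)."""
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, requested.lstrip("/")))
    if candidate != real_root and not candidate.startswith(real_root + os.sep):
        raise OutsideRoot(requested)
    return candidate


def read_document(docroot, requested):
    """What a server-side include like gnujsp should do before opening a file."""
    with open(confine(docroot, requested), "rb") as f:
        return f.read()


def chown_upload(upload_dir, requested, uid, gid, web_uid):
    """What a Chuid-style helper should do: only files inside upload_dir, and
    only files currently owned by the Web server user, so a root-owned file
    can never be handed to a PHP script's user. The open/fstat/fchown sequence
    works on one descriptor so the file cannot be swapped between the
    ownership check and the chown."""
    path = confine(upload_dir, requested)
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if st.st_uid != web_uid:
            raise PermissionError("refusing to chown a file not owned by the Web server")
        os.fchown(fd, uid, gid)     # needs root, as a set-uid helper like Chuid has
    finally:
        os.close(fd)
    return path


def demo():
    """Constructed sandbox: a document root with one page, a secret outside it,
    and a symlink inside the root pointing at the secret."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")
    os.mkdir(docroot)
    with open(os.path.join(docroot, "index.html"), "w") as f:
        f.write("hello")
    secret = os.path.join(base, "secret")
    with open(secret, "w") as f:
        f.write("top secret")
    os.symlink(secret, os.path.join(docroot, "leak"))

    results = {"index": read_document(docroot, "index.html")}
    for attempt in ("../secret", "/../secret", "leak", "sub/../../secret"):
        try:
            read_document(docroot, attempt)
            results[attempt] = "read"
        except OutsideRoot:
            results[attempt] = "rejected"
    try:
        chown_upload(docroot, "../secret", os.getuid(), os.getgid(), os.getuid())
        results["chown_escape"] = "changed"
    except OutsideRoot:
        results["chown_escape"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Note that `confine()` alone does not stop a race where the symlink is swapped in after the check; the reader opens the resolved path, which is safe for a read of a file the server is allowed to read anyway, while the chown helper works on an open descriptor so that the ownership it checks is the ownership it changes.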
ripMime is a mail filtering application. There is a buffer overflow in
ripMime that may be exploitable by a local attacker to obtain
increased privileges. The buffer overflow is in the code that handles
file names, and is reported to affect versions 1.2.6 and earlier of
Affected users should upgrade to the latest release of
ripMime as soon
Return to the Linux DevCenter.